Re: [homenet] [EXT] securing zone transfer
"Ray Hunter (v6ops)" <v6ops@globis.net> Wed, 12 June 2019 12:35 UTC
To: Jacques Latour <Jacques.Latour@cira.ca>
Cc: Daniel Migault <daniel.migault@ericsson.com>, homenet <homenet@ietf.org>
Thanks for the feedback.

> first, the gateway does not know for sure which external NS are used by the secondary DNS service,

Agreed. The draft needs to address how the service is boot-strapped and auto-configured.

> second the IPs of the WAN port might not be the internet facing IPs and this could break inbound connectivity

I hope that we're going to be able to move past IP filtering as the primary security mechanism for this draft. Especially in the presence of renumbering.

regards,

Jacques Latour wrote on 11/06/2019 20:59:
>
> Daniel,
>
> In trying to setup our secure home gateway project to have the
> external zone & primary DNS server setup and managed on the gateway
> itself and to XFR back to secondary name servers somewhere turned out
> not to be functional or practical, first, the gateway does not know for
> sure which external NS are used by the secondary DNS service, second,
> the IPs of the WAN port might not be the internet facing IPs and this
> could break inbound connectivity. We're looking at using dynamic DNS
> updates for things that need internet connectivity, and have the
> primary DNS server on the main land. TSIG & DNS over TLS look like a
> good option to look at.
>
> Jacques
>
> *From:* homenet <homenet-bounces@ietf.org> *On Behalf Of* Daniel Migault
> *Sent:* June 7, 2019 4:03 PM
> *To:* homenet <homenet@ietf.org>
> *Subject:* [EXT] [homenet] securing zone transfer
>
> Hi,
>
> The front end naming architecture uses a primary and a secondary dns
> server to synchronize a zone. The expected exchanges are (SOA, NOTIFY,
> IXFR, AXFR). We would like to get feedback from the working group on
> what are the most appropriate way to secure this channel.
>
> Options we have considered are TSIG, IPsec, TLS, DTLS. TSIG does not
> provide confidentiality, and we would rather go for user space
> security. Are there any recommendations for using TLS or DTLS in that
> case?
>
> Any thoughts would be helpful.
>
> Yours,
>
> Daniel

--
regards,
RayH
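An added illustration, not part of the original message or of the draft under discussion: a Python implementation of the TSIG request MAC (RFC 8945 field order, HMAC-SHA256) with a primary-side check. It shows the two properties raised in the thread: authorization depends on a shared key and the clock rather than on a source address, and the signed message stays readable on the wire. The key name, secret, zone and timestamp are constructed placeholders.

```python
import hashlib, hmac, struct

def wire_name(name):
    """Encode a domain name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def axfr_query(zone, msg_id):
    """AXFR question (QTYPE 252, class IN) as it looks before the TSIG RR is appended."""
    return struct.pack("!6H", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_mac(msg, key_name, secret, signed_at, fudge=300):
    """HMAC-SHA256 over a request plus its TSIG variables (RFC 8945 field order)."""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)  # key name, CLASS ANY, TTL 0
                 + wire_name("hmac-sha256")                         # algorithm name
                 + struct.pack("!HIH", signed_at >> 32, signed_at & 0xFFFFFFFF, fudge)  # 48-bit time, fudge
                 + struct.pack("!HH", 0, 0))                        # error, other length
    return hmac.new(secret, msg + variables, hashlib.sha256).digest()

def authorize_transfer(msg, key_name, mac, signed_at, now, keyring, fudge=300):
    """Primary-side check: inputs are the key and the clock, never the peer's address."""
    secret = keyring.get(key_name.lower().rstrip("."))
    if secret is None:
        return "BADKEY"
    if not hmac.compare_digest(mac, tsig_mac(msg, key_name, secret, signed_at, fudge)):
        return "BADSIG"
    if abs(now - signed_at) > fudge:
        return "BADTIME"
    return "NOERROR"

# Constructed sample values: key name, secret, zone and timestamp are placeholders.
KEYRING = {"gateway-xfr-key": b"constructed-secret-not-for-use"}
T = 1560342914

def demo():
    key = "gateway-xfr-key"
    msg = axfr_query("home.example", 0x1A2B)
    mac = tsig_mac(msg, key, KEYRING[key], T)
    return {
        "valid": authorize_transfer(msg, key, mac, T, T + 30, KEYRING),
        "tampered": authorize_transfer(axfr_query("other.example", 0x1A2B), key, mac, T, T + 30, KEYRING),
        "stale": authorize_transfer(msg, key, mac, T, T + 3600, KEYRING),
        "unknown_key": authorize_transfer(msg, "no-such-key", mac, T, T + 30, KEYRING),
        "zone_visible_on_wire": wire_name("home.example") in msg,  # signed, not encrypted
    }

if __name__ == "__main__":
    print(demo())
```

Because the check takes no address, a renumbered gateway keeps its authorization as long as it holds the key; hiding the zone contents from an on-path observer still needs a transport such as TLS underneath.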